Subscribe

STUCCOMONTANA: NSA Exploit of the Day

(TS//SI//REL) STUCCOMONTANA provides persistence for DNT implants. The DNT implant will survive an upgrade or replacement of the operating system -- including physically replacing the router's compact flash card.

(TS//SI//REL) Currently, the intended DNT Implant to persist is VALIDATOR, which must be run as a user process on the target operating system. The vector of attack is the modification of the target's BIOS. The modification will add the necessary software to the BIOS and modify its software to execute the SIERRAMONTANA implant at the end of its native System Management Mode (SMM) handler.

(TS//SI//REL) STUCCOMONTANA must support all modern versions of JUNOS, which is a version of FreeBSD customized by Juniper. Upon system boot, the JUNOS operating system is modified in memory to run the implant, and provide persistent kernel modifications to support implant execution.

(TS//SI//REL) STUCCOMONTANA is the cover term for the persistence technique to deploy a DNT implant to Juniper T-Series routers.

Unit Cost: $

Status: (U//FOUO) STUCCOMONTANA under development and is expected to be released by 30 November 2008.

Page, with graphics, is here. General information about TAO and the catalog is here.

In the comments, feel free to discuss how the exploit works, how we might detect it, how it has probably been improved since the catalog entry in 2008, and so on.

Comments

I find stepping through these slides one at a time quite the worthwhile project so thank s for providing this forum. We've got no one to blame but ourselves if those that can don't add informed commentary to it.

True, there could have been some bundling of very similar ones. But look at the crappy coverage of the most important leak to date in the NY Times -- one story three weeks late making light of NSA antics, no docs, with minimal added value from unnamed senior officials who aren't familiar with the docs either.

I can see from the Times coverage why no one in their right mind would ever bother leaking to them. Let's hope the Guardian didn't share too much -- the Times no doubt forwarded all that they got straight to the NSA, just like they did with the Cointelpro fbi docs, ditto with all the other stories they've suppressed or delayed over the years in service to govt.

Does anyone yet know who leaked these documents and to what end? In part, it seems like this is a catalog of what we'd expect a modern (or at least modern c. 2008) spy agency would be doing with our money. The descriptions read like a gee-whiz compendium of cool gear, and imply that the NSA is doing much more than vacuuming up wholesale personal information from citizens.

Is it reasonable to propose that this "leak" may be a propaganda effort from the NSA, with Congress perhaps being the primary target?

2. A second implant to make the hack persistent and call home with the data stream.

3. SMM pawned

4. Juniper Edge router with Juno OS

Again, the reboot of the router would seem to be the indication of an infection. Even on Microsquish Servers if there is a reboot a window pops up asking for a reason (a hint to check the system for infection). I would assume other vendors have that function also.

I see a huge opportunity for Anti-Virus vendors to get into BIOS AV products. Also, I have a feeling that someone is playing fast a loose at Juniper. I can only shake my head in disgust.

Here is awkward non-denial:

“SOLUTION:

“Juniper Networks recently became aware of, and is currently investigating, alleged security compromises of technology products dated from 2008 and made by a number of companies, including Juniper. We take allegations of this nature very seriously and are working actively to address any possible exploit paths. As a company that consistently operates with the highest of ethical standards, we are committed to maintaining the integrity and security of our products. We are also committed to the responsible disclosure of security vulnerabilities, and if necessary, will work closely with customers to implement any mitigation steps.

”The alleged security compromises included indications of "software implants" and a method for installing malicious code in BIOS. Juniper Networks is not aware of any such BIOS implants in our products and has not assisted anyone in the creation of such implants.

”Juniper maintains a Secure Development Lifecycle, and it is against Juniper policy to intentionally include "backdoors" that would potentially compromise our products or put our customers at risk.

”Juniper will continue to aggressively investigate this report as we do all reports of potential vulnerabilities in our products, and will continue to notify our customers according to our Security Incident Response Team policies.

@Tom Ames • January 17, 2014 8:01 PMDoes anyone yet know who leaked these documents and to what end? In part, it seems like this is a catalog of what we'd expect a modern (or at least modern c. 2008) spy agency would be doing with our money. The descriptions read like a gee-whiz compendium of cool gear, and imply that the NSA is doing much more than vacuuming up wholesale personal information from citizens.
Is it reasonable to propose that this "leak" may be a propaganda effort from the NSA, with Congress perhaps being the primary target?

Snowden grabbed the documents. I think that if you would claim Snowden was a black bag job sending out disinformation, one would be stretching it way beyond mind bending.

Identifying their command-control-and-exfiltration protocol on the network could help find broken firewalls and discourage NSA from accessing the already-broken ones. It could be used by other TAO products, too. There are challenges:

* Even if you recognize the protocol, you probably can't do really interesting things like remove implants remotely, because the actual meaningful content would be encrypted/authenticated.

* Who knows how many or few firewalls are actually broken right now.

* Of those firewalls, who knows how many have a persistence implant (rather than just getting broken anew on reboot).

* Now that this is public, they might've stopped communicating with and/or removed the implant from all or some target routers, to avoid discovery.

Getting a copy of the implant would be a huge win. Looking at BIOSes of routers from major service providers in as low-level a way as possible is about all I can think of.

I'd almost bet that the NSA's key hardened strategic targets--the governments/militaries who are not close US allies--have known the general shape of this for a long time. If Congress was right to be skeptical about Huawei equipment, then they might well have learned it by watching what we did to them. Allies + US citizens, on the other hand, only find out now.

The attack seems to rely on being able to re-flash the BIOS.
Presumably BIOSes are stored in some kind of EEPROM so that they can be updated.
Wouldn't it be a defense to put a jumper into the write-enable line of the EEPROM, so that to re-flash the BIOS requires somebody to physically plug in the jumper, and always take it out again after re-flashing with a known-good BIOS?
The OS can then check that the jumper is disabled before it completes booting, for example by executing the sequence to erase the entire EEPROM, which should fail if all is well.